- Acceptable use policy
- Contentful AI Terms of Service
- Digital Services Act
- DMCA takedown notice
- EU Data Act
- Marketplace terms
- Modern slavery and human trafficking statement
- Privacy at Contentful
- Service level agreement
- Terms of service
- Terms of service Developer Showcase
- Trademark and Brand Use Policy
- Trial Terms of Service
- Legal FAQ
- Security addendum
- Other versions of this document
EU Data Act
This page provides information in accordance with Article 28(1) of the EU Data Act (Regulation (EU) 2023/2854) regarding Contentful’s data processing services. It describes the jurisdiction applicable to our information and communications technologies (ICT) infrastructure and outlines the measures we have taken to prevent unlawful international access or transfer of data.
Jurisdiction of ICT infrastructure
Contentful's infrastructure is hosted primarily on Amazon Web Services (AWS). The default data residency location is the United States of America (primary region AWS N. Virginia (us-east-1) and secondary region AWS Oregon (us-west-2)). Where the customer has selected the EU data residency feature, the location is Ireland (primary region AWS Ireland (eu-west-1) and Germany (secondary region AWS Frankfurt (eu-central-1)). In order to ensure rapid delivery of content, Contentful uses a select number of Content Delivery Network (CDN) providers that briefly cache content in or near the location where the customer content is consumed.
Accordingly, the jurisdictions to which the ICT infrastructure deployed for data processing of Contentful’s individual services is subject are, as applicable: the United States; Germany; Ireland and the hosting locations of other sub-processors as set out on our Sub-processor Site.
Measures to prevent unlawful international access or transfer
Contentful has adopted the following technical, organisational, and contractual measures to prevent international governmental access to or transfer of data held in the European Union (EU) where such access or transfer would create a conflict with EU law or the national law of the relevant Member State.
Technical measures
A detailed description of Contentful’s technical security measures is set out in our Security Addendum. Technical measures include, in particular: (i) encryption: customer content is encrypted at rest and in transit using strong industry-standard encryption protocols; and (ii) access controls: access to the infrastructure that supports the Contentful services follows the principle of least privilege, limiting access based on job function necessity.
In addition, customers may select the EU data residency feature which allows customers to store their content and user profiles in the EU data residency region, instead of the default US data residency region.
Organisational measures
Contentful’s internal policy on government requests for data held in the EU is to notify the affected customer and direct the requestor to the relevant customer where legally permitted to do so. Contentful’s Legal team will review all such requests to ensure they are legally valid and binding. Contentful will comply with a request only if we determine that it is lawful and follows a valid legal process. Where we are legally required to respond, we will seek to produce only the minimum amount necessary based on our reasonable interpretation of the request.
Contentful provides training and awareness to staff on data protection obligations and our security and compliance teams conduct regular reviews of policies and procedures to ensure adherence to applicable laws.
Contractual measures
As per contracts between Contentful and its customers, Contentful customers own customer content (i.e. any data or content submitted to and managed by the customer in the Contentful platform) and customers grant a licence to Contentful to use that content solely to provide the services to the customer.
Contentful’s contracts with its suppliers include restrictions on using the data other than to provide the service to Contentful.
EU Data Act Addendum
Contentful makes available below an EU Data Act Addendum that includes all contract terms required under the Act. For further information regarding the EU Data Act and the Contentful EU Data Act Addendum, please see our FAQs here.
Contentful has incorporated an EU Data Act Addendum into our contract templates for Contentful GmbH customers. Other Contentful customers who require an EU Data Act Addendum or customers whose agreement doesn’t contain the EU Data Act Addendum may download and electronically sign the Contentful EU Data Act Addendum by clicking on the links below. Please select the Contentful entity with which you signed the underlying agreement for the Subscription Services.